diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9b791f0..1bff515 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -133,7 +133,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.number }} GITHUB_REPOSITORY: ${{ github.repository }} - run: bash scripts/ci-guards/coverage-pr-comment.sh + run: bash scripts/coverage-pr-comment.sh # Bundle P / Strengthening #6 — QA-doc drift guards. Forces every PR # that adds a Part to docs/testing-guide.md OR a seed row to @@ -327,7 +327,7 @@ jobs: # placeholders). Collapsed to one job that brings up all 11 sidecars # at once and runs the full VendorEdge_ test set. # - # Skip-detection guard (scripts/ci-guards/vendor-e2e-skip-check.sh) + # Skip-detection guard (scripts/vendor-e2e-skip-check.sh) # enforces that no test SKIPs except the documented allowlist # (windows-iis-requiring tests on Linux). If a sidecar fails to come # up, requireSidecar() in deploy/test/vendor_e2e_helpers.go calls @@ -387,7 +387,7 @@ jobs: # lines in the test output and fails the build if it exceeds the # allowlist (windows-iis-requiring tests; legitimately skipped # on Linux per Phase 6 / frozen decision 0.5). - run: bash scripts/ci-guards/vendor-e2e-skip-check.sh test-output.log + run: bash scripts/vendor-e2e-skip-check.sh test-output.log - name: Tear down sidecars if: always() diff --git a/scripts/ci-guards/README.md b/scripts/ci-guards/README.md index e547046..0b173eb 100644 --- a/scripts/ci-guards/README.md +++ b/scripts/ci-guards/README.md 
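Review bot: The comment in the -327 hunk still describes scripts/vendor-e2e-skip-check.sh as a "Skip-detection guard", while the README section this same commit adds classifies it as a helper rather than a guard precisely because it takes an argument. Keeping the terminology aligned avoids the next reader expecting it to run in the `scripts/ci-guards/*.sh` loop; `# Skip-detection helper (scripts/vendor-e2e-skip-check.sh)` would do. The -387 hunk's surrounding comment block (partly outside the hunk) may use the same wording and is worth checking at the same time.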
@@ -16,8 +16,11 @@ Every script in this directory MUST: 1. Be exit-code 0 on a clean repo (no regression present). 2. Be exit-code non-zero on regression, with a `::error::` annotation prefix so PR reviewers see the failing line in the GitHub Actions UI. -3. Be runnable from repo root via `bash scripts/ci-guards/.sh` — - no implicit `cd` requirement, no env-var requirement. +3. **Be runnable from repo root via `bash scripts/ci-guards/.sh` + with NO arguments and NO env-var requirements.** The CI loop step + (`for g in scripts/ci-guards/*.sh; do bash "$g"; done`) iterates + every `.sh` here without args; any script that requires an arg or + env var WILL fail in that loop. 4. Carry a head-comment block matching the in-source justification from the original ci.yml entry: the audit-finding reference, the closure rationale, the exempt-surface list (if any). @@ -25,6 +28,22 @@ Every script in this directory MUST: 6. Produce no output on the happy path beyond a final `echo ": clean."` confirmation line. +### Helpers vs guards + +Scripts that consume input artifacts (a test-output log, a +`coverage.out` file) or env vars (`PR_NUMBER`, `GH_TOKEN`) are +HELPERS, not guards. They live in `scripts/`, NOT `scripts/ci-guards/`. + +Current helpers: +- `scripts/vendor-e2e-skip-check.sh` — consumes `test-output.log` + arg from the deploy-vendor-e2e job +- `scripts/coverage-pr-comment.sh` — consumes `coverage.out` + + `PR_NUMBER` + `GH_TOKEN` env from the go-build-and-test job +- `scripts/check-coverage-thresholds.sh` — consumes `coverage.out` + + `.github/coverage-thresholds.yml` +- `scripts/qa-doc-part-count.sh` + `scripts/qa-doc-seed-count.sh` — + invoked via `make verify-docs` pre-tag, not in CI + ## Adding a new guard 1. Drop a new `.sh` in this directory with the head-comment block 
diff --git a/scripts/ci-guards/coverage-pr-comment.sh b/scripts/coverage-pr-comment.sh similarity index 90% rename from scripts/ci-guards/coverage-pr-comment.sh rename to scripts/coverage-pr-comment.sh index c8ff4af..13831ce 100755 --- a/scripts/ci-guards/coverage-pr-comment.sh +++ b/scripts/coverage-pr-comment.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# scripts/ci-guards/coverage-pr-comment.sh +# scripts/coverage-pr-comment.sh # # Post a per-package coverage table as a PR comment on every PR. # Self-hosted alternative to Codecov / Coveralls (per ci-pipeline-cleanup @@ -9,6 +9,11 @@ # in place if one already exists (avoids duplicate noise on subsequent # pushes to the same PR). # +# Lives in scripts/ (not scripts/ci-guards/) because it's a helper that +# consumes coverage.out + GH env vars — not a regression guard runnable +# bare. The scripts/ci-guards/ contract requires bare-callable, no-arg, +# no-env scripts. See scripts/ci-guards/README.md. +# # Required env: # GH_TOKEN — secrets.GITHUB_TOKEN # PR_NUMBER — github.event.number diff --git a/scripts/ci-guards/vendor-e2e-skip-allowlist.txt b/scripts/vendor-e2e-skip-allowlist.txt similarity index 97% rename from scripts/ci-guards/vendor-e2e-skip-allowlist.txt rename to scripts/vendor-e2e-skip-allowlist.txt index fa4dcee..a3224e7 100644 --- a/scripts/ci-guards/vendor-e2e-skip-allowlist.txt +++ b/scripts/vendor-e2e-skip-allowlist.txt @@ -1,4 +1,4 @@ -# scripts/ci-guards/vendor-e2e-skip-allowlist.txt +# scripts/vendor-e2e-skip-allowlist.txt # # Test names that are EXPECTED to skip on Linux ubuntu-latest CI runners. # Each entry: one Go test function name per line. Lines starting with `#` diff --git a/scripts/ci-guards/vendor-e2e-skip-check.sh b/scripts/vendor-e2e-skip-check.sh similarity index 77% rename from scripts/ci-guards/vendor-e2e-skip-check.sh rename to scripts/vendor-e2e-skip-check.sh index 75bfd93..fc0bcc6 100755 --- a/scripts/ci-guards/vendor-e2e-skip-check.sh +++ b/scripts/vendor-e2e-skip-check.sh 
@@ -1,9 +1,9 @@ #!/usr/bin/env bash -# scripts/ci-guards/vendor-e2e-skip-check.sh +# scripts/vendor-e2e-skip-check.sh # # Counts `^--- SKIP:` lines in the vendor-e2e test output and fails # the build if any test skipped that's NOT in the allowlist at -# scripts/ci-guards/vendor-e2e-skip-allowlist.txt. +# scripts/vendor-e2e-skip-allowlist.txt. # # Per ci-pipeline-cleanup bundle Phase 5 / frozen decision 0.6. # requireSidecar() in deploy/test/vendor_e2e_helpers.go uses @@ -12,12 +12,20 @@ # one fails to start, the affected tests skip silently. This # guard catches that. # -# Usage: bash scripts/ci-guards/vendor-e2e-skip-check.sh +# Lives in scripts/ (not scripts/ci-guards/) because it's a +# helper that consumes a test-output log produced by a specific +# CI step — not a regression guard runnable bare. The +# scripts/ci-guards/ contract requires bare-callable, no-arg +# scripts. See scripts/ci-guards/README.md. +# +# Usage: bash scripts/vendor-e2e-skip-check.sh set -e -LOG="${1:-test-output.log}" -ALLOWLIST="scripts/ci-guards/vendor-e2e-skip-allowlist.txt" +# Mandatory arg — fail loud at parse time rather than when the file +# is missing (avoids the silent-default footgun). +LOG="${1:?usage: $0 }" +ALLOWLIST="scripts/vendor-e2e-skip-allowlist.txt" if [ ! -f "$LOG" ]; then echo "::error::test output log not found: $LOG"
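Review bot: The new mandatory-argument check `LOG="${1:?usage: $0 }"` in the second hunk prints a usage message that, as rendered here, ends after `$0 ` and names no argument, so a caller who trips it does not learn what to pass; if the placeholder was not lost in rendering, `LOG="${1:?usage: $0 <test-output.log>}"` states it. The allowlist path on the next line is still repo-root-relative, so the script keeps an implicit cwd requirement even though it now fails loud on a missing log; resolving it next to the script, `ALLOWLIST="$(dirname "$0")/vendor-e2e-skip-allowlist.txt"`, removes that dependency, and the existence check applied to `$LOG` could be mirrored for `$ALLOWLIST` if nothing further down already does so. The script body continues past the end of the hunk.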